HOWTO solve identity theft: make banks responsible

Bruce Schneier's op-ed on CNet about identity theft talks about why "two-factor" authentication (e.g. having to enter a password and a number that you read off of a little keychain fob) is useful for lots of things, but not for preventing identity theft. He goes on to explain how to practically solve identity theft through new liability measures:

Criminals impersonate legitimate users to financial intuitions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: Financial intuitions need to be liable for fraudulent transactions.

They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions. They can't say that the user must keep his password secure or his machine virus-free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards.

Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. And they've pushed most of the actual costs onto the merchants.


(via Cryptogram)